tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Anyway to enable just all TLS protocols in APR connector?
Date Sat, 18 Oct 2014 00:57:50 GMT
On 10/17/14 4:20 PM, Jeffrey Janner wrote:
>> -----Original Message----- From: Jeffrey Janner
>> [] Sent: Friday, October 17,
>> 2014 3:04 PM To: 'Tomcat Users List' Subject: RE: Anyway to
>> enable just all TLS protocols in APR connector?
>>> -----Original Message----- From: Christopher Schultz
>>> [] Sent: Friday, October 17,
>>> 2014 12:26 PM To: Tomcat Users List Subject: Re: Anyway to
>>> enable just all TLS protocols in APR connector?
> Jeffrey,
> On 10/17/14 1:12 PM, Jeffrey Janner wrote:
>>>>> Documentation for the APR connector says setting
>>>>> SSLProtocol="all" (the default) enables TLSv1+SSLv3, but
>>>>> actually enables TLSv1.1 and TLSv1.2 as well.
> Why do you think that's the case?
>>> Qualys/SSLLabs reports it as such.  Using tomcat 7.0.50 and
>>> latest APR build.
>>>>> However, it only seems to accept SSLProtocol strings that
>>>>> includes TLSv1, SSLv2, SSLv3 or their combinations.
> Correct. Patches are in the works. Tomcat 7 and Tomcat 8 are
> patched; expect new builds soon.
>>>>> In other words, there doesn't seem to be a way to specify
>>>>> that you only want all 3 TLS versions and none of the SSL
>>>>> versions. Is there something I'm missing?
> Nope.
>>>>> FYI: I checked Bugzilla on this, and there seems to be some
>>>>> work progressing on coding support, but it also interjected
>>>>> a regression to turn SSLv2 back on by default.
> This can happen in certain situations, like saying that you want 
> TLSvX+SSLv3 but no TLS versions are supported by OpenSSL. In that 
> case, you get SSLv23 which I believe in OpenSSL means "SSLv3 + 
> SSLv2Hello" which is only as dangerous as SSLv3 right now.
>>> Actually, I was looking at the most recent patch code. It
>>> actually modified the definition of ALL to include SSLv2. I
>>> pointed it out on Bugzilla, but thought I'd mention it here as
>>> well.
>> Chris, when I said most recent, I meant latest posted to the
>> Bugzilla entry when I read it. Just reviewed it again and see
>> that's not the patch you guys are implementing.

Can you check tcnative 1.1.x branch in subversion and Tomcat 7 or 8 in
subversion and let me know how they work for you (or don't)? No reason
to wait until there is an official build for testing.

>>>>> The question is, if there is no current "magic string" that
>>>>> Tomcat will accept to enable full TLS support, is this
>>>>> something we will have to wait for 7.0.57 (and the
>>>>> equivalent 6 & 8 versions) to be able to address?
> Unfortunately, yes. You'll also need to wait for tcnative 1.1.32 as
> well.
>>> With bated breath, but not holding it.

It should be coming soon. I think markt is going to single-handedly
tag+release 3 Tomcat versions plus tcnative on all platforms. ;)

-chris
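The thread's practical problem is that, on the Tomcat/tcnative builds discussed, SSLProtocol="all" (the default when the attribute is absent) means TLSv1+SSLv3, and the only other accepted values are "+"-joined combinations of SSLv2, SSLv3 and TLSv1, so there is no way to express "TLS only". A defender who cannot yet upgrade can at least find which connectors in server.xml would still negotiate SSLv2/SSLv3. The audit script below is an added example, not Tomcat or tcnative code; it models the SSLProtocol grammar exactly as the thread describes it (an assumption about the pre-patch parser, not a copy of it), and the server.xml fragment it runs against is constructed with placeholder file paths.

```python
import xml.etree.ElementTree as ET

# Pre-patch grammar as described in the thread (assumption: modelled from the
# discussion, not copied from tcnative): "all" == TLSv1+SSLv3, and explicit
# values are '+'-joined combinations of SSLv2, SSLv3 and TLSv1.
ALL_EXPANDS_TO = frozenset({"TLSv1", "SSLv3"})
KNOWN_TOKENS = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}
LEGACY = frozenset({"SSLv2", "SSLv3"})


def parse_ssl_protocol(value):
    """Return the set of protocol names an SSLProtocol value enables.

    None (attribute absent) and "all" mean the documented default.  Any token
    outside SSLv2/SSLv3/TLSv1 (e.g. TLSv1.2) is rejected, mirroring the
    behaviour the thread reports for Tomcat 7.0.50 with tcnative of that time.
    """
    if value is None or value.strip().lower() == "all":
        return set(ALL_EXPANDS_TO)
    enabled = set()
    for raw in value.split("+"):
        token = raw.strip().lower()
        if not token:
            continue
        if token not in KNOWN_TOKENS:
            raise ValueError(f"unsupported SSLProtocol token: {raw.strip()!r}")
        enabled.add(KNOWN_TOKENS[token])
    if not enabled:
        raise ValueError("SSLProtocol is empty")
    return enabled


def audit_connectors(server_xml):
    """Inspect every SSLEnabled connector and report what it would accept."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        value = conn.get("SSLProtocol")
        enabled = parse_ssl_protocol(value)
        findings.append({
            "port": conn.get("port"),
            "SSLProtocol": "(absent, defaults to all)" if value is None else value,
            "enabled": enabled,
            "legacy": enabled & LEGACY,
        })
    return findings


def connectors_with_legacy_ssl(server_xml):
    """Ports of SSL connectors that would still negotiate SSLv2 or SSLv3."""
    return [f["port"] for f in audit_connectors(server_xml) if f["legacy"]]


# Constructed server.xml fragment for demonstration; the paths are placeholders.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" SSLCertificateFile="/placeholder/cert.pem"
               SSLCertificateKeyFile="/placeholder/key.pem"/>
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" SSLProtocol="TLSv1"
               SSLCertificateFile="/placeholder/cert.pem"
               SSLCertificateKeyFile="/placeholder/key.pem"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        status = "LEGACY SSL ON" if f["legacy"] else "ok"
        print(f"port {f['port']}: SSLProtocol={f['SSLProtocol']} "
              f"enables {sorted(f['enabled'])} -> {status}")
```

Run against the sample, the 8443 connector is flagged because the absent attribute falls back to "all" and so keeps SSLv3, while 9443 with SSLProtocol="TLSv1" is clean; a value such as "TLSv1.2" raises ValueError, matching the thread's point that the pre-patch connector has no string for the newer TLS versions. Once the patched Tomcat and tcnative 1.1.32 builds mentioned in the thread are deployed, the accepted grammar changes and the token table in this script would need to be revisited.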